Take me to Mac network security school.
December 5, 2007 6:12 PM Subscribe
I noticed this morning in my system logs that I had some failed FTP and SSH login attempts from an IP in China. I thought I was going to have get all Cliff Stoll on this guy, but then looking back further I saw that this has been happening for months, from lots of different IP addresses.
posted by jeffxl to Computers & Internet (9 answers total) 5 users marked this as a favorite
I'm many things, but I have never claimed to be a network guy. I know my way around the command line, for the most part, but after the basic network utilities, I'm done. Further, I've been pretty lax with network security, generally having a "wouldn't happen to me" sort of attitude about hackers. That being said, I admittedly have a very insecure setup between the outside world and my computer. My router is set with DMZ to my computer, so I can get to it easily. I have web sharing, remote desktop, ssh, ftp, and afp enabled -- and use all of them regularly. Up until about half an hour ago, I also had my software firewall disabled.
On the other hand, fortunately, my passwords are strong, and the root account isn't enabled.
After seeing the mountain of failed login attempts, I've become a little more paranoid, and would like to be more cautious. A few questions, though:
1. These people trying to break in, do you they just do pings of a range of IP addresses until one responds, and then have a program that just tries a whole lot of logins/passwords at that IP? I see lots of attempts for Administrator, root, and mysql, but there are also attempts for random ones like 'raphael'. What's the deal?
2. I have test users on my system for debug purposes, some of them with admin rights. Is there any way to disallow these users to log in with ftp and ssh? How paranoid should I be?
3. I'd still like to be able to access my computer from the outside world using the same services I have been before, but I'm thinking I should start using my firewall properly, and take off DMZ and enable port forwarding instead, right? Question is, how is this any better at preventing break in attempts? If I can get in here from the outside, they could too, right?
Any other tips, suggested readings, or words of wisdom? School me.